#!/bin/bash
# We assume we are executed from extras/tests/tls

function fail()
{
	echo "TLS TEST ERROR: $*"
	exit 1
}

CIPHERSCAN="cipherscan"
OPENSSL="openssl"
if [ -x ~/cipherscan ]; then
	CIPHERSCAN="$HOME/cipherscan/cipherscan"
	OPENSSL="$HOME/cipherscan/openssl"
elif [ -x /home/travis/build/unrealircd/unrealircd/cipherscan/cipherscan ]; then
	CIPHERSCAN="/home/travis/build/unrealircd/unrealircd/cipherscan/cipherscan"
	OPENSSL="/home/travis/build/unrealircd/unrealircd/cipherscan/openssl"
elif [ -x ../../../cipherscan/ ]; then
	CIPHERSCAN="`readlink -f ../../../cipherscan/cipherscan`"
	OPENSSL="`readlink -f ../../../cipherscan/openssl`"
fi

$CIPHERSCAN --help >/dev/null || exit 1


# This is the basic cipherscan test.
# It compares the output against a reference .txt file and alarms us if there
# are any changes. These changes may not always be harmful, but at least we
# will get warned on any possible changes.
$CIPHERSCAN --no-colors 127.0.0.1:5901|grep -vF '.....' >cipherscan.test.txt

# Now check if profile matches, if so.. everything is ok.
# We have 1 or more baseline profiles
# And you can optionally add profile-specific, eg openssl-102.txt
# Yeah that was a great idea but maintaining that is a bit of a hassle.
# TODO: reintroduce it though, see below.
##for f in cipherscan_profiles/baseline*txt cipherscan_profiles/$BUILDCONFIG.txt
FAILED=1
for f in cipherscan_profiles/*.txt
do
	diff -uab $f cipherscan.test.txt 1>/dev/null 2>&1
	if [ "$?" -eq 0 ]; then
		FAILED=0
		echo "Cipherscan profile $f matched."
		break
	fi
done

if [ "$FAILED" -eq 1 ]; then
	echo "*** Differences found between cipherscan scan and expected output ***"
	if [ -f cipherscan_profiles/$BUILDCONFIG.txt ]; then
		COMPARE_PROFILE="cipherscan_profiles/$BUILDCONFIG.txt"
	else
		COMPARE_PROFILE="cipherscan_profiles/baseline.txt"
	fi
	echo "== EXPECTED OUTPUT ($COMPARE_PROFILE) =="
	cat $COMPARE_PROFILE
	echo
	echo "== ACTUAL TEST OUTPUT =="
	cat cipherscan.test.txt
	echo
	echo "== DIFF =="
	diff -uab $COMPARE_PROFILE cipherscan.test.txt
	echo
	echo "cipherscan test failed."
	exit 1
else
	echo "*** Cipherscan output was good ***"
	cat cipherscan.test.txt
fi

# This checks for a couple of old ciphers that should never work:
for cipher in 3DES RC4
do
	echo "Testing cipher $cipher (MUST FAIL!).."
	(echo QUIT|$OPENSSL s_client -connect 127.0.0.1:5901 -cipher $cipher) &&
	fail "UnrealIRCd allowed us to connect with cipher $cipher, BAD!"
done

# This checks older SSL/TLS versions that should not work:
for protocol in ssl2 ssl3
do
	echo "Testing protocol $protocol (MUST FAIL!).."
	(echo QUIT|$OPENSSL s_client -connect 127.0.0.1:5901 -$protocol) &&
	fail "UnrealIRCd allowed us to connect with protocol $protocol, BAD!"
done

echo
echo "TLS tests ended (no issues)."
exit 0
